Fintech Research

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent finance research toolkit, but it exposes an overbroad local database tool and loosely scoped workflows that should be reviewed before use.

Install only if you are comfortable with a local MCP server that can contact public finance/news providers, cache data locally, and let the agent run raw SQL against its cache. Use it in a dedicated workspace, avoid sharing confidential portfolio or unpublished research unless you understand where it will be stored, and treat `run_sql` as a manual-review feature until it is restricted to read-only SELECT queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

MCP Least Privilege

Medium
Confidence
91% confidence
Finding
The skill advertises use of environment variables and multiple network-backed data sources, but it does not declare permissions for those capabilities. That creates a transparency and consent problem: users may invoke a seemingly harmless research skill without clear notice that it can access API keys and make outbound requests. In a tool-integrated agent setting, undeclared env/network access increases the risk of unintended data exposure or external communication.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill repeatedly forbids automatic task chaining, but this section tells the agent to execute missing prerequisite tasks automatically after verification fails. That contradiction can cause the agent to take additional actions the user did not explicitly request, expanding scope and potentially triggering unintended network access, file creation, or downstream processing. In a multi-step workflow with external data access and local file operations, this is a real unsafe-instruction flaw.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The `run_sql` tool claims to be read-only, but it executes whatever SQL string the caller supplies with no enforcement that the statement is a `SELECT` or otherwise non-mutating. In an MCP context, this exposes the local SQLite cache to arbitrary modification, deletion, schema changes, or database corruption by any agent or prompt that can invoke the tool, making it significantly more dangerous than a normal analytics helper.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger map uses broad natural-language phrases like "analyze," "monitor," and "macro," which can cause accidental or overly eager routing into privileged skill workflows. In an agent setting, ambiguous activation can lead to unintended tool use, external data access, or execution of research behaviors based on casual user text rather than an explicit command.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README explicitly states that users can issue requests in natural language and that Claude will route them directly to skills via an intent map. Broad activation language increases the chance that ordinary conversation, ambiguous prompts, or pasted third-party text unintentionally triggers skill workflows and external data access, which is a real prompt-routing safety issue even though it appears product-driven rather than malicious.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Telling users to "just enter what you want to do" makes invocation boundaries unclear and encourages unrestricted free-form prompting as a control surface. In a skill that can automatically route requests to analysis workflows and a local MCP server, unclear startup conditions can lead to unintended execution, accidental data retrieval, or easier prompt injection through seemingly harmless text.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases include common words like "analyze," "monitor," "track," and "find ideas," which are broad enough to match ordinary conversation. In an agent environment this can cause accidental skill invocation, leading to unexpected network calls, external data retrieval, or use of local tools without the user intentionally selecting this skill. Because this is a finance research skill with data-fetching capabilities, unintended activation is more consequential than for a purely local formatting skill.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad natural-language phrases like "find ideas," "what looks interesting," and "new ideas," which can match ordinary conversation outside the user's intent to invoke this specific skill. In an agent setting, overly broad activation can cause unintended execution of investment-screening workflows, leading to irrelevant actions, confusion, and possible use of external data/tools when the user did not explicitly request them.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Task 5 directs the agent to read local markdown, Excel, and image files and write a DOCX output, but it does not require explicit user confirmation or a clear notice that local files will be accessed and modified. This can lead to unexpected file-system side effects, including reading sensitive project files or creating outputs in locations the user did not anticipate. For agent skills, undisclosed file operations are a genuine safety issue.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Task 4 requires pulling historical stock price and valuation-multiple data from external sources without telling the user that network access may occur or that company/ticker information may be sent to third-party services. Even if the data is public market data, silent outbound requests create privacy, compliance, and transparency risks, especially in enterprise or restricted environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow explicitly instructs extraction of a ZIP archive into a working directory and creation of a DOCX output file, but it does not require user confirmation or clearly disclose that the skill will write to disk. In an agent setting, silent file creation and archive extraction can lead to unintended filesystem changes, overwriting files, or unsafe extraction behavior if archive paths are not validated.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The instructions direct the agent to read multiple local markdown, spreadsheet, image, and source files, but provide no privacy notice, scope limitation, or consent mechanism for accessing potentially sensitive local data. In a research workflow, these files may contain proprietary financial models, unpublished analysis, API-derived data, or confidential source material, so broad undisclosed file access increases data exposure risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "review my positions" is broad enough to match ordinary portfolio conversation that may not be intended to invoke this specific skill. In an agent environment, overly generic triggers can cause accidental activation, leading to unintended collection, persistence, or summarization of sensitive investment thesis data across sessions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes very common finance terms such as "earnings" and "results," which can cause the skill to activate in unintended contexts. Over-broad activation increases the chance of misrouting user requests, applying the wrong workflow, and producing analysis scoped to earnings when the user intended a different task.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The workflow immediately imposes Hong Kong-specific assumptions, including reporting cadence and HKEX concepts, without first confirming the market or security type. In non-HK contexts this can lead to incorrect framing, wrong expectations about disclosures, and misleading output that appears authoritative.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list contains very generic terms such as "jobs" and "wages," which are common in many unrelated conversations. This can cause the skill to activate unexpectedly, leading to irrelevant financial analysis, prompt routing errors, or unnecessary external data lookups that increase noise and operational cost.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes broad generic terms such as "rates" and "Fed," which can cause the skill to activate in many unrelated financial conversations. In an agent system, overbroad invocation can steer users into unintended workflows, inject irrelevant analysis, and increase the chance that downstream tools are called without clear user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The phrase "better value" is ambiguous and can match broad conversational language rather than a clear request for comparable securities analysis. This increases the chance of accidental skill invocation and inappropriate execution of research steps or external data fetches, but the surrounding finance-specific content keeps the likely harm relatively low.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The phrase "better value" is ambiguous and can match broad conversational language rather than a clear request for comparable securities analysis. This increases the chance of accidental skill invocation and inappropriate execution of research steps or external data fetches, but the surrounding finance-specific content keeps the likely harm relatively low.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes generic phrases like "events", "what's coming", and "announcements", which are common in normal conversation and can cause unintended invocation of this skill. In an agent setting, overly broad triggers may route unrelated requests into market-monitoring workflows, leading to incorrect tool calls, unnecessary data access, or confusing outputs.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes common portfolio-management phrases like "thesis check," "thesis review," "conviction," and especially "still hold," which can appear in ordinary financial discussion without an explicit intent to invoke this skill. That can cause accidental activation, unnecessary data retrieval, and unintended thesis evaluation behavior in contexts where the user was only asking a general question.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes very generic phrases such as "track" and "my list," which can match normal conversation unrelated to this skill and cause unintended activation. In an agent setting, misrouting user requests can lead to unintended data access, watchlist modification, or confusing execution flow, especially because this skill supports add/remove operations and persistence across sessions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation explicitly advertises a tool that executes arbitrary SQL against a local SQLite cache database, but provides no guardrails, read-only limitations, or warnings about destructive statements. In an agent skill context, exposing arbitrary query execution can enable unintended data modification, deletion, schema damage, or abuse of dangerous SQLite features if an agent or user passes untrusted input.

VirusTotal

VirusTotal findings are pending for this skill version.
